AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-11-19 · Documentation low

File: controltower/latest/controlreference/tagging.md

Summary

Updated references from 'AWS CloudFormation' to 'CloudFormation' for consistency, and clarified IAM permission requirements for tag visibility in drift detection.

Security assessment

The changes primarily involve branding terminology updates (removing redundant 'AWS' from CloudFormation references). While the documentation emphasizes the need for the `ListTagsforResource` IAM permission to avoid drift detection inaccuracies, this is an operational guidance improvement rather than addressing a specific security vulnerability. The permission requirement was already documented in previous versions, and the update does not introduce new security controls or address a disclosed vulnerability.

Diff

diff --git a/controltower/latest/controlreference/tagging.md b/controltower/latest/controlreference/tagging.md
index db3b4c600..1d2dbbc80 100644
--- a//controltower/latest/controlreference/tagging.md
+++ b//controltower/latest/controlreference/tagging.md
@@ -7 +7 @@
-You can add tags to `EnabledControl` resources by means of AWS CloudFormation templates, through the AWS Control Tower console, and by calling the AWS Control Tower APIs.
+You can add tags to `EnabledControl` resources by means of CloudFormation templates, through the AWS Control Tower console, and by calling the AWS Control Tower APIs.
@@ -15 +15 @@ The AWS Control Tower `GetEnabledControl`, `EnableControl`, and `ListTagsforReso
-When you configure resource tags with CloudFormation, you must add the new `ListTagsforResource` IAM permission to the policy for the customer-managed role that you use to update your controls. If you do not add the permission, the CloudFormation template may have the tags, but AWS CloudFormation cannot see them without the ability to call `ListTagsforResource`. If you already have created a role that updates your AWS Control Tower landing zone, that role probably has this permission in place already, because the same permission is required to view tags associated with the landing zone resource. 
+When you configure resource tags with CloudFormation, you must add the new `ListTagsforResource` IAM permission to the policy for the customer-managed role that you use to update your controls. If you do not add the permission, the CloudFormation template may have the tags, but CloudFormation cannot see them without the ability to call `ListTagsforResource`. If you already have created a role that updates your AWS Control Tower landing zone, that role probably has this permission in place already, because the same permission is required to view tags associated with the landing zone resource. 
@@ -47 +47 @@ JSON
-If you do not add the proper permissions, you can experience some side-effects that we refer to as _false positive or false negative CloudFormation drift_. During CloudFormation drift, the **Detect drift** command in the AWS CloudFormation console may not give reliable results. You also can encounter these side effects if you modify your CloudFormation resource outside the AWS CloudFormation console.
+If you do not add the proper permissions, you can experience some side-effects that we refer to as _false positive or false negative CloudFormation drift_. During CloudFormation drift, the **Detect drift** command in the CloudFormation console may not give reliable results. You also can encounter these side effects if you modify your CloudFormation resource outside the CloudFormation console.
@@ -51 +51 @@ If you do not add the proper permissions, you can experience some side-effects t
-If you provision a resource, including a tag, with AWS CloudFormation, it is important to update the resource through AWS CloudFormation only.
+If you provision a resource, including a tag, with CloudFormation, it is important to update the resource through CloudFormation only.
@@ -53 +53 @@ If you provision a resource, including a tag, with AWS CloudFormation, it is imp
-When you experience _false positive_ CloudFormation drift, the AWS CloudFormation console shows a **Modified** status (drifted) for a resource, although you are not aware of making any modifications. In this situation, the status means that you have not added the `ListTagsforResource` permission. When the permission is not present in the role, the `ReadHandler` cannot read the tags. AWS CloudFormation returns an error, because it cannot tell whether the resource actually was modified. The error is surfaced as **Modified** status.
+When you experience _false positive_ CloudFormation drift, the CloudFormation console shows a **Modified** status (drifted) for a resource, although you are not aware of making any modifications. In this situation, the status means that you have not added the `ListTagsforResource` permission. When the permission is not present in the role, the `ReadHandler` cannot read the tags. CloudFormation returns an error, because it cannot tell whether the resource actually was modified. The error is surfaced as **Modified** status.
@@ -55 +55 @@ When you experience _false positive_ CloudFormation drift, the AWS CloudFormatio
-When you experience _false negative drift_ the CloudFormation console shows a resource as unmodified, when in fact, it has been modified. This situation means that the AWS Control Tower `EnabledControl` resource has tags, but CloudFormation cannot retrieve those tags. In this case, two things must have occurred: the resource has been modified outside AWS CloudFormation, which is not a recommended practice, and also the `ListTagsforResource` permission was not added to the policy.
+When you experience _false negative drift_ the CloudFormation console shows a resource as unmodified, when in fact, it has been modified. This situation means that the AWS Control Tower `EnabledControl` resource has tags, but CloudFormation cannot retrieve those tags. In this case, two things must have occurred: the resource has been modified outside CloudFormation, which is not a recommended practice, and also the `ListTagsforResource` permission was not added to the policy.